Beginner

Help implementing FMC with AD and ISE

Hello


I aim to implement FMC by utilising:


1) Active Directory for creating Access Control rules based on AD Groups

2) ISE as an Identity source


I intend that the user's login ID should be visible in all logs. Also, I do not want to use the User Agent as an Identity Source; I want to use ISE.

 

So far I configured the following:


1) Successfully added AD as a realm, and able to download Users and Groups

2) Added ISE as Identity Source, added pxGrid Server CA, MNT Server CA and FMC Server Certificates, "Test" works successfully.

 


I created an access policy

Rule 1:


Source Zone / Source Destination: Any / Any

Under the 'Users' tab, I select an AD group whose access I want to restrict and select the appropriate 'Applications' and 'URLs'.


Then I have some generic Allow / Deny rules.

 

Problem:


1) This doesn't work. Rule 1 is never processed, and the "Default Action (Balanced Security and Connectivity)" is invoked.

2) I don't see user name in the event log either.

3) In AD Realms, though I am able to download users and groups, 'Test AD Join' says 'Test AD join Failed'. Could this be the reason for the entire failure?

4) Do I have to configure anything on ISE? I configured the following authorisation rule but I see no hits; I am not an expert on ISE and may have got this completely wrong.

 

[Screenshot: ise auth.png]

 

I admit I may not have done everything required for this setup, and I seek help with the same.


Thank you very much in advance.

1 ACCEPTED SOLUTION

Accepted Solutions
Beginner

Re: Help implementing FMC with AD and ISE

Thanks Marvin.

 

We resolved this by enabling Passive ID on ISE.

5 REPLIES
Hall of Fame Master

Re: Help implementing FMC with AD and ISE

Did you approve your FMC as a pxGrid subscriber (or have auto approval enabled) in ISE?

Beginner

Re: Help implementing FMC with AD and ISE

Hi Marvin, thank you for your response. Auto approval is enabled and pxGrid is connected successfully.

 

"Connected to pxGrid ciscoise.xxxxx.net" is what I see when I go to Administration, then pxGrid Services.

Beginner

Re: Help implementing FMC with AD and ISE

Somehow I can't edit my initial post

 

"Initiator User" under event logs says "Unknown user"

Hall of Fame Master

Re: Help implementing FMC with AD and ISE

If the user is never triggering an Authorization rule in ISE then there will be no identity to share with the FMC. Thus I would recommend you focus on the ISE side.

Check your RADIUS live logs in ISE to see what rule is being matched and adjust your policy set accordingly until you have the desired Authorization rule match in ISE. At that point there should be endpoint context that can be shared with FMC.
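As an added example (not part of the thread, and not a Cisco tool): a small Python triage script that applies the reasoning in the reply above. It takes constructed FMC connection events and constructed ISE session records (the kind of thing RADIUS Live Sessions or pxGrid would show; field names are assumed, not a real export format) and splits the "Unknown user" source IPs into those ISE never identified (fix the ISE authorization policy / Passive ID) and those ISE does know but FMC still cannot map (look at the pxGrid subscription or the realm on the FMC side). Call `triage(SAMPLE_EVENTS, SAMPLE_SESSIONS)` to see both buckets.

```python
from dataclasses import dataclass


@dataclass
class FmcEvent:
    src_ip: str
    initiator_user: str  # "Unknown user" when FMC has no IP-to-user mapping
    rule: str            # access control rule that handled the flow


@dataclass
class IseSession:
    ip: str
    user: str
    auth_rule: str       # ISE authorization rule matched; "" if none matched
    source: str          # "RADIUS" or "PassiveID"


def triage(events, sessions):
    """Split "Unknown user" source IPs by whether ISE actually knows them.

    no_ise_session : ISE never produced an identity (no authz rule hit, no
                     Passive ID) -> nothing to publish; fix the ISE side.
    ise_has_session: ISE has user context but FMC still shows Unknown user
                     -> look at pxGrid subscription / realm on the FMC side.
    """
    known = {s.ip: s.user for s in sessions if s.auth_rule and s.user}
    no_ise, ise_has = set(), set()
    for e in events:
        if e.initiator_user != "Unknown user":
            continue
        if e.src_ip in known:
            ise_has.add((e.src_ip, known[e.src_ip]))
        else:
            no_ise.add(e.src_ip)
    return {"no_ise_session": sorted(no_ise), "ise_has_session": sorted(ise_has)}


# Constructed sample data (not real logs).
SAMPLE_EVENTS = [
    FmcEvent("10.1.1.10", "Unknown user", "Default Action"),
    FmcEvent("10.1.1.11", "Unknown user", "Default Action"),
    FmcEvent("10.1.1.12", "CORP\\jdoe", "Rule 1"),
    FmcEvent("10.1.1.10", "Unknown user", "Default Action"),
]
SAMPLE_SESSIONS = [
    IseSession("10.1.1.10", "", "", "RADIUS"),  # authenticated, hit no authz rule
    IseSession("10.1.1.11", "CORP\\asmith", "Employee-Access", "RADIUS"),
    IseSession("10.1.1.12", "CORP\\jdoe", "Employee-Access", "PassiveID"),
]
```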
